Recent news that a bot infected a test server for the Healthcare.gov website points to a failure of governance. Details of the Target, Community Health Systems, and Home Depot breaches also point to governance failures. On the surface each may appear to be a technical vulnerability. The underlying problem, however, is that too many healthcare and other organizations implement cyber security at the end of the development cycle rather than at the beginning; they do not bake cyber security into all of their business and development processes. They also tend to view the cost of cyber security as an unnecessary evil instead of a vital component of their business strategy. It is a failure of corporate leadership and governance -- not of technology.
The telltale sign: This was a test server and was never supposed to be connected to the Internet -- apparently an adequate justification for many people. My question: Why does the test server not have the same security features as the production server that is connected to the Internet? The excuse I typically hear is that developers build these servers at will and do not install all appropriate security patches and features, in the interest of expediency. A specialized team of people applies patches, fixes, and system-hardening techniques much later. That is a failure of governance and leadership.
There are a few major problems with this patch-later approach:
- There is hardly enough time to do an adequate job of security testing, and that testing invariably conflicts with the production schedule, so senior (non-IT) executives make many compromises in the interest of launching on the advertised target date.
- Once IT applies the fixes, the fixes tend to break existing functionality, introduce new bugs, or produce unexpected results.
- There is a high degree of friction between the developer team and the security team, both of which tend to forget they are on the same team.
- Training environments become completely unrelated to reality.
Every server must adhere to a defined configuration standard, and anyone configuring a server must follow that standard. This is standard operating procedure. It is imperative that healthcare organizations bake cyber security into the process at the beginning, not at the end. The advantages of this approach include:
- Cyber security becomes everyone’s responsibility, not just the "security team’s" job.
- The developer team and the security team establish a symbiotic relationship from the start.
- The organization establishes an ingrained culture of appropriate cyber security and risk management.
- Nobody needs to fear even "accidental" connections of test servers to the Internet.
- The risk of future functionality problems or the danger of introducing new bugs is reduced.
- Training can occur on systems that are more realistic.
- Target deadlines for production do not compete with system security.
This is not an issue that can be fixed technically -- and organizations and politicians should not look for answers there. What is needed is for an organization's senior-level business leaders to accept that cyber security is a risk-management business process. For that, they must understand cyber security leadership at a business level. Business leaders need to implement a governance framework that makes cyber security part of the organization's culture.